In today's situation, where various crimes using a network, such as DDoS attacks, hacking, and the like, are increasing and the problem is becoming increasingly serious, there is a growing need for information security. Focusing on the fact that traffic characteristics change during a DDoS attack, hacking, or the like, much research is being conducted on methods of detecting abnormalities by observing network traffic. For example, refer to “Technical Research on High-traffic Observation and Analysis Method (Information Security Guard R&D Evaluation Services)” in 15 Jokei No. 1632, April/2004, Information-technology Promotion Agency (IPA).
More specifically, according to the result of analyzing 12 representative attack cases, it is found that the delay in DNS requests increases by 230% and the delay in web access also increases by 30% in the presence of malicious traffic. For example, refer to Kun-chan Lan, Alefiya Hussain and Debojyoti Dutta, “The effect of malicious traffic on the network,” in Proceedings of PAM, Apr. 6-8, 2003, La Jolla.
In addition, as network-based anomaly detection, “Review of Anomaly-based Network Intrusion Detection, Jonathan Werrett, 2003/05/26” discloses the approaches described below. Specifically, in a probability-based approach, the probability of each possible value in a packet field is estimated, and a packet including a field whose value has a low probability, or a value not seen before, is tagged as “anomalous” and thereby detected as an unauthorized access. Moreover, in a multivariate approach, many variables, such as the number of packets, the number of sessions per unit time, and the like, are used as inputs, and the probabilities of the variables are estimated to detect unauthorized accesses. Furthermore, in a state-based approach, sessions are reconstructed, and state transitions of protocols, Internet Protocol (IP), and sessions are evaluated as probabilities to detect unauthorized accesses. A normal session begins with SYN and ends with FIN. Therefore, a session exhibiting any different condition is tagged as “anomalous.”
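The state-based and probability-based checks described above, as an added illustration that is not code from the cited review or from the present application; the packet records (session id, TCP flag) and the baseline port window are constructed samples, and the 5% threshold is an assumed parameter.

```python
from collections import Counter, defaultdict

# Constructed packet records: (session id, TCP flag) in arrival order.
# "A" is a normal SYN ... FIN session; "B" starts without a SYN;
# "C" ends with RST instead of FIN. Hypothetical sample, not a real capture.
PACKETS = [
    ("A", "SYN"), ("A", "ACK"), ("A", "PSH"), ("A", "FIN"),
    ("B", "PSH"), ("B", "ACK"), ("B", "FIN"),
    ("C", "SYN"), ("C", "ACK"), ("C", "RST"),
]

def reconstruct_sessions(packets):
    """Group packets by session id, preserving arrival order."""
    sessions = defaultdict(list)
    for sid, flag in packets:
        sessions[sid].append(flag)
    return sessions

def tag_sessions(packets):
    """State-based check: a normal session begins with SYN and ends with FIN.
    A session whose first or last observed flag differs is tagged 'anomalous'."""
    tags = {}
    for sid, flags in reconstruct_sessions(packets).items():
        normal = flags[0] == "SYN" and flags[-1] == "FIN"
        tags[sid] = "normal" if normal else "anomalous"
    return tags

def tag_field_values(baseline, observed, threshold=0.05):
    """Probability-based check: estimate P(value) of a packet field from a
    baseline window; a value below the threshold (which includes any value
    never seen in the baseline, P = 0) is tagged 'anomalous'."""
    counts = Counter(baseline)
    total = len(baseline)
    tags = {}
    for value in observed:
        p = counts[value] / total          # 0.0 for an unseen value
        tags[value] = "anomalous" if p < threshold else "normal"
    return tags

# Constructed baseline of destination ports from an assumed training window.
BASELINE_PORTS = [80] * 70 + [443] * 28 + [22] * 2

if __name__ == "__main__":
    print(tag_sessions(PACKETS))
    print(tag_field_values(BASELINE_PORTS, [80, 22, 31337]))
```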
Furthermore, for the network administrative department in a communications carrier or an Internet Service Provider (ISP), it is an indispensable element of nonstop operation to detect a network failure at an early stage. Thus, a study is being conducted on a mechanism for deducing the cause of the network failure from a phenomenon specific to the cause of the failure.
In addition, as for the traffic engineering (TE), it has conventionally been studied to select an optimal path according to the current situation related to the load on a network or a server. The current situation related to the load on a network or a server is one of network contexts.
A certain concept of TE is based on maximizing network performance by utilizing the planar expanse of a network in order to select a path. For information on this concept, refer to, for example, D. Awduche, et al., “Overview and principles of Internet traffic engineering,” RFC3272, IETF, May 2002; M. Katoh, T. Soumiya, K. Nakamichi, K. Takashima, H. Yamada and A. Chugo, “A study of IP traffic engineering mechanisms,” ITG2002, Duisburg, Germany, March 2002; A. Okamura, K. Nakamichi, H. Yamada and A. Chugo, “A QoS Control Method Cooperating with a Dynamic Balancing Mechanism,” APNOMS2003, Japan, September 2003; Hitoshi Yamada, Akiko Okamura, Akira Chugo and Masafumi Katoh, “IP Network Control Architecture for Providing On-Demand QoS Guarantee Service,” WTC2004 (Sep. 11-16, 2004); and so forth.
Specifically, even if congestion or a failure occurs in a certain place on the network, the network service performance is maintained by dynamically bypassing the traffic toward another place. Moreover, when selecting a path or a server to ensure network resources for a QoS guarantee, the resources to be ensured are dispersed equally. This enables an increase in the number of acceptable requests and maximizes the network performance. It means an increase in the probability of request acceptance without call loss for a user and an increase in service charge income for a network service provider. Moreover, because it is a basic principle of the two-dimensional TE to use the network completely, it can be said to be a technique for avoiding a useless investment such as installing new equipment to cope with an instantaneous lack of resources.
The concept of the two-dimensional TE utilizing the planar expanse of the network can be expanded into a three-dimensional TE utilizing the spatial expanse of the network. Generalized Multi-protocol Label Switching (GMPLS) aims to integrally control and manage various layer paths, including an optical wavelength path, a time division multiplexing (TDM) path, and a multi-protocol label switching (MPLS) path. Therefore, when the traffic volume in an MPLS network increases in the long term and the capacity of the entire network is insufficient, the two-dimensional TE reaches its critical limit. When another optical wavelength plane is newly used on such an occasion, it becomes possible to absorb the traffic volume expected to overflow, thereby further improving the robustness and availability of the network by means of optimal path finding and traffic dispersion with consideration given to a plurality of wavelength planes. As for these techniques, refer to Toshio Soumiya, Shinya Kano, Akira Chugo and Masafumi Katoh, “Robust and Efficient Control Method for Multilayered GMPLS Networks,” WTC2004 (Sep. 11-16, 2004); Chung-Fong Su and Hung-Ying Tyan, “Multi-layer Traffic Engineering for OPEX Reduction in IP over WDM Networks,” WTC2004 (Sep. 11-16, 2004); and so forth.
Moreover, recently, public attention is focused on a Contextware service control for dynamically changing a method of providing a service according to the user's situation. For example, refer to Masafumi Katoh, “Ubiquitous Network Strategy—Utilization of Knowledge using Network and Middleware—”, [online], Jun. 24, 2004, Ubiquitous Networking Forum, Ubiquitous Strategy Symposium, Internet <URL:http://www.ubiquitous-forum.jp/documents/sympo20040624/index.html>, and so forth.
Moreover, it has already been suggested that technical know-how and knowledge (i.e., network context) obtained through network operations be utilized by reflecting them in the network controls. For detailed information, refer to Kazuo Imai, “Fourth Generation Mobile Network and Expansion to Ubiquitous Network,” [online], Jul. 20, 2004, The Institute of Electronics, Information and Communication Engineers (IEICE) Technical Committee on Ubiquitous and Real-World Oriented Networking (URON), Internet <URL: http://www.ieice.org/cs/uron/workshop2004.html>, and so forth.
Moreover, there has been suggested a network control method including deducing a user's intention from the user's situation, setting requirements to the network while referring to a user profile, and searching for an optimal path by using a network context while referring to the policy of a service provider and the policy of a network operator.
Moreover, JP-A-2000-253055 discloses a path control method having a low incidence of call loss and a low load on the network. Specifically, it includes carrying out routing by a routing table search when a resource reservation request occurs, causing an application to generate information concerning the call duration, storing the information in the resource reservation request packet and causing the respective nodes to transfer the packet, predicting changes in the bandwidth capacity on the network from the information concerning the call duration in the respective nodes, and reflecting the information in the routing at the time of the resource reservation. However, the technique of this publication causes the application itself using the network to report the call duration and predicts changes in the bandwidth capacity on the network, which includes the call, on the basis of that information. Therefore, consideration can be given only to bandwidth changes within the holding time from the actual occurrence of the call to the time when the call will disappear; this technique is not intended to predict a future traffic transition before the occurrence of the call. Even granting that the network resources are optimized on the basis of this prediction, only the short-time transition is considered. Therefore, this technique has a limit on improving resource efficiency by optimization. Moreover, the publication does not mention any method of using the prediction to optimize the network resources.
Originally, much knowledge exists on networks. For example, a study is being conducted on detecting information leakage by viewing information concerning an upper layer, such as an e-mail title or the content of the e-mail. In the present application, however, it is assumed that the knowledge used is obtained from “an amount of layer 3 packets” and “traffic volume,” which can generally be known on networks from the outset.
Conventionally, empirical knowledge obtained through network operations has been commonly used. For example, the timing for expansion of equipment and facilities is judged from a long-term trend of increasing demand. Furthermore, when an occurrence of planned congestion caused by an event is anticipated, a cache function is provided near users to reduce the traffic load on the core network. Furthermore, at the time of an earthquake or other abnormal conditions, blocking of calls is often used. In this manner, various countermeasures are taken through the knowledge of human experts. There has not, however, been any routing carried out that uses such knowledge quantitatively and dynamically.
While various studies have been conducted to detect a mixture of trouble or malicious traffic by observing traffic, as described above, they are based on the premise of offline analysis and thus are assumed to be used only as a tool for obtaining formal knowledge.
Furthermore, techniques such as an intrusion detection system (IDS) or an intrusion prevention/protection system (IPS) are being developed to detect an unauthorized intrusion from an accidental increase of traffic or from a difference in pattern from the past. Furthermore, there is an example of reactive control that blocks the intrusion when it is determined to be unauthorized. It is, however, limited to controls that are reactive and are used for protecting endpoints. More specifically, it is not adapted to control the entire network in a preventive manner so as to satisfy a certain service criterion by using knowledge accumulated in the network.
Furthermore, while traffic engineering aims at the efficient use of network resources, the optimum resource allocation is conducted based on the current traffic. More specifically, the knowledge obtained through past operations is not used, and therefore only an instantaneous optimum solution is obtained.
Still further, while the document discussing the contextware service control describes a concept using a network context or a brief information flow, it does not describe how the network context should be collected and used as a practical matter.